CVE-2025-13932 | THREATINT

Description

The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request.

PUBLISHED Reserved 2025-12-02 | Published 2025-12-04 | Updated 2025-12-05 | Assigner icscert

HIGH: 8.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unknown

API v1

affected

API v2

affected

Credits

James Gallagher (@5G)

References

www.cisa.gov/news-events/ics-advisories/icsa-25-338-06 (url) government-resource

cve.org (CVE-2025-13932)

nvd.nist.gov (CVE-2025-13932)